ASP.NET Membership without using a table - asp.net

I have an ASP.NET MVC 5 application where I want to authorize users to access specific content via roles. These roles will be passed in through the application headers. After exploring ASP.NET membership, it seems like the membership information is normally supposed to be stored in a table, but I do not need/want this. I simply need to take the role from the header when the user accesses the application, and then access it later (ideally) using ASP.NET membership to use data annotations in my models and/or views to control who can see what information.
I apologize if this is sort of ambiguous; I am just not sure where to start, since I cannot seem to find an example of someone simply taking the role from the headers without storing this information in a membership table.
Thanks!
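
The setup described in the question, building an in-memory principal from request headers so that the Authorize attribute and User.IsInRole work without any membership table, could look like the following. This is an added example, not part of the original post; the header names, role names and sender address are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Global.asax.cs (added example). Header names, role names and the sender
// address below are assumptions for illustration.
public class MvcApplication : HttpApplication
{
    private const string UserHeader = "X-Auth-User";   // assumed header name
    private const string RolesHeader = "X-Auth-Roles"; // assumed, e.g. "Admin,Reports"

    // Only roles the application actually defines are accepted.
    private static readonly string[] KnownRoles = { "Admin", "Reports", "User" };

    // Address of the front end that authenticates users and sets the headers.
    // A request from anywhere else may carry headers written by the client.
    private static readonly string[] TrustedSenders = { "10.0.0.5" }; // constructed value

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        if (!TrustedSenders.Contains(request.UserHostAddress))
            return; // do not build a principal from headers of an untrusted sender

        string user = request.Headers[UserHeader];
        if (string.IsNullOrWhiteSpace(user))
            return;

        // Split the comma-separated role list and drop anything unknown.
        string[] roles = (request.Headers[RolesHeader] ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => KnownRoles.Contains(r, StringComparer.OrdinalIgnoreCase))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();

        // In-memory principal: no membership or role table is involved.
        var principal = new GenericPrincipal(new GenericIdentity(user, "Header"), roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

With this in place, [Authorize(Roles = "Admin")] on a controller or action and User.IsInRole("Admin") in a view are evaluated against the header-derived roles.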

Related

Implementing Roles in ASP.NET web forms application

This might be a stupid question to ask, but I am kind of confused here. I am working on an ASP.NET web forms application and I need to implement role-based access for users.
This application is working with Active Directory, so there are no login forms or forms-based authentication, and I can't use User.Identity to check the roles. I am getting roles from a stored procedure, like 1 for admin and 2 for user, and I want to know if there is a way to implement it generically, like setting some attributes on the controls to show and hide them, instead of going and implementing if conditions in every form.
I am not sure if I presented my point clearly here or not but please let me know if you get the idea of what I am trying to say. Thank you.

Role based security in ASP.NET

In my ASP.NET 3.5 application, on the ASPX pages I have to implement a role-based data update policy.
If a user has the least privilege, he can still update some fields but not all, whereas a user with maximum privilege can update all fields on the page.
I was trying to implement this using a generic approach, but I am not sure if .NET has something built in to implement this.
What is the right approach here?
Yes, you will want to utilize ASP.NET Membership. Once you have that in place, you can check roles on a user, like so:
if (Roles.IsUserInRole("User1", "Role1"))
// allow whatever you need to
If you are using the ASP.NET membership provider, you can limit the content on the page based on the roles the user is in.

aspnet Membership Database to store extra employee attributes

I'm using the aspnet membership database for authorization and authentication for my Azure web application.
This aspnet application contains the employees' details. All was good until we got a new requirement. The new requirement is to include lots of extra attributes related to employees, such as awardcode, costcentre, division, location etc.
The requirement is also to administer these details via the Admin portal.
Is there any way we can fit the above requirement within the aspnet database? Should I add extra tables and fields, or is there a better way of achieving this?
Thank you.
You might want to consider the ASP.NET Profile provider. It's another component of the Membership framework. It stores a somewhat dynamic list of user properties in the database, typically in the aspnet_Profile table. You can get a lot of functionality for free by making additions to Web.config, or you can customize heavily by implementing a custom profile provider. Here are some links to get started:
http://msdn.microsoft.com/en-us/library/014bec1k.aspx
http://msdn.microsoft.com/en-us/magazine/cc163457.aspx
There have been times though when this approach wasn't a great fit for me, so I simply created a separate UserRecord table in the database with exactly the columns I wanted, and added some views to the database that joined UserRecord with the built-in aspnet_Membership table, etc., to get the right combination of data.

ASP.Net MVC, role based security and other person-based data

I have an ASP.Net MVC application and I'm using Forms authentication in SQL Server. This sets up the authentication and authorization for me. However, I have other person-based data that I need to track as well, such as the person's phone number, department, their charge-out rate, start date, etc.
WHAT the person can do (which is controlled by ASP.Net security) is related to WHO they are (which is controlled by my application).
Is there a best practice for linking ASP.Net with my application data to get a more complete person object? Can I simply extend the information in the ASP.Net tables? Is it better to keep it separate? Has anyone got any tips or links for guidance?
Since you are already using ASP.NET Forms Authentication, the ASP.NET RoleProvider, which can be integrated into MVC via the Authorize attribute, is just as easy to set up.
And you get something like this:
[Authorize(Roles = "Chef")]
public ActionResult Cook() { // snip ...
And if you did use all that, there's also the ProfileProvider for ASP.NET which generates profile code for you with full intellisense support. You can customize which fields you want and what data types it should be stored in etc. etc.
Both the Role Provider and Profile Provider can be customized or roll-your-own, there are many many articles on the internet that will tell you how.
Using the ASP.NET providers also gives you the benefits that the data is maintained automatically throughout the ASP.NET request processing pipeline, e.g. you can access this property:
HttpContext.Current.Profile
...from almost anywhere.
Use the built-in functionality for Profile Properties to store additional data about your users.

ASP.NET Login page

I want to add login for registered users in my website. How shall I proceed with it? Is it through the use of sessions? What will happen to the Session variable once the logout happens??
Your question is extremely broad and there are many different ways that you can implement what is, in effect, a "membership" system for an ASP.NET website.
I would suggest that you start by reading the "Introduction to Membership" article from MSDN. This article will give you an overview of how ASP.NET membership works in the most "standard" way.
It also mentions using the various ASP.NET membership "controls" (Login, LoginView, LoginStatus & PasswordRecovery for example).
Using these controls along with the built-in ASP.NET membership providers (for example, ASP.NET provides a SQL membership provider to work against SQL Server as the data store for your user accounts and credentials) will allow you to implement a complete membership and authentication system with virtually no code at all (i.e. all the functionality is provided by the built-in "membership" controls and declarative mark-up).
Finally, a really good series of articles on this subject is:
Examining ASP.NET 2.0's Membership, Roles, and Profile
from the 4guysfromrolla site. It starts at the very beginning of the membership topic and goes right the way through to touching on the implementation of a custom membership provider and administrative interface for managing user credentials to round out the whole subject.
I'd take a look at related questions, such as
Login Membership .NET
This topic is already covered quite a lot on SO.
Session state and log in are somewhat orthogonal. You have a session regardless of whether or not you are logged in.
You should use the provided Login control and Membership system.
About Session vars, nothing special will happen. ASP.NET forms authentication does not use SessionState by default.
I would recommend using forms authentication with perhaps a custom backend using IIdentity and IPrincipal. There's lots of information available on how to do this, but I think this link forms a good starting point: http://msdn.microsoft.com/en-us/library/aa480476.aspx
